In July 2009, the Privacy Commissioner of Canada published the results of an investigation it conducted into the privacy practices of the social networking site Facebook. A complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) in May 2008 triggered the investigation.
Regular readers of this column may recall that the investigation determined that of the 12 issues reviewed, four were found to be not well-founded, four were determined to be well-founded, with Facebook agreeing to make changes to their policies and/or practices, and four others were determined to be well-founded but were unresolved after extensive discussions with Facebook. The privacy commissioner indicated to Facebook that, after a 30? day period, she would determine whether to take the company to federal court in order to enforce her recommendations.
In August 2009, the commissioner reported that Facebook made a number of commitments on the four remaining items and that progress would be tracked by her office over a one-year period.
Follow-up review
In September 2010, the commissioner released the results of the follow-up review. The sharing of information with third-party application developers and transparency of privacy settings were two of the key items reviewed as were a number of concerns relating to the wording and language of Facebook’s privacy notice.
In reviewing the access to personal information by third-party developers, the commissioner expressed concern that “Facebook had no technical safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online friends” and that individuals were not notified about what and why personal information was accessed by those applications. Facebook now requires users’ express consent by means of clicking an “allow” button before permitting third-party applications to access personal information.
The transparency and accessibility of Facebook’s privacy settings continued to concern to the commissioner. The company made a number of changes to improve its practices; however, a number of other changes the company made after the initial investigation created new concerns. The term “Everyone” within the privacy setting originally meant everyone on Facebook; however, an expansion of the term meant that everyone on the Internet now would have access to users’ personal information. The commissioner also expressed concern about changes that prevented users from restricting public access to some categories of personal information. While this concern is currently limited to only four categories of information, the commissioner encouraged Facebook not to expand the use of the personal information these categories.
Next steps
The commissioner indicated that, due to their evolving nature, she will continue to monitor the ongoing changes at social networking sites, and, in particular, Facebook. She also noted that as a result of new complaints received by her office, investigations about Facebook’s invitation feature and social plug-ins have been initiated.
It is clear from this follow-up review and the fact that new complaints have arisen that social networking sites continue to be of interest to privacy advocates and privacy commissioners alike. The recurring themes of transparency and choice underline the challenges that organizations providing such services must manage, balancing the inherent nature of these applications; i.e. facilitating the sharing of information, and the need for individuals to have control over the personal information they share on these applications.
